Query - Authentication/Authorization
This example shows how to control the permission of a user to query the data of a collection using the [QueryAuth] attribute.
Usage
The [QueryAuth] attribute can be used on the model class and/or on specific fields/properties of the model.
Demo
Example - Only authenticated
This example shows the basic usage. When you apply the attribute without any arguments, the user only has to be authenticated to query the collection.
```typescript
// Angular (client)
import { OnInit } from '@angular/core';
import { Observable } from 'rxjs';
import { SapphireDbService } from 'ng-sapphiredb';

export class QueryAuthComponent implements OnInit {
	values$: Observable<any>;

	constructor(private db: SapphireDbService) {}

	ngOnInit() {
		this.values$ = this.db.collection('AuthDemo.RequiresAuthForQueryDemos').values();
	}
}
```

```csharp
// Model.cs (server)
// Without arguments the attribute only requires an authenticated user.
[QueryAuth]
public class RequiresAuthForQuery : Base
{
	public string Content { get; set; }
}
```
Example - Only admin
This example shows how to use ASP.NET Core authorization policies to check whether the user is allowed to query.
```typescript
// Angular (client)
import { OnInit } from '@angular/core';
import { Observable } from 'rxjs';
import { SapphireDbService } from 'ng-sapphiredb';

export class QueryAuthComponent implements OnInit {
	values$: Observable<any>;

	constructor(private db: SapphireDbService) {}

	ngOnInit() {
		this.values$ = this.db.collection('AuthDemo.RequiresAdminForQueryDemos').values();
	}
}
```

```csharp
// Model.cs (server)
// The string argument is the name of an authorization policy registered in Startup.cs.
[QueryAuth("requireAdmin")]
public class RequiresAdminForQuery : Base
{
	public string Content { get; set; }
}
```

```csharp
// Startup.cs (server)
public void ConfigureServices(IServiceCollection services)
{
	services.AddAuthorization(config =>
	{
		// The "requireAdmin" policy succeeds only for users in the "admin" role.
		config.AddPolicy("requireAdmin", b => b.RequireRole("admin"));
	});
}
```
Example - Custom function
This example shows how to define a custom static function that checks whether the user is allowed to query.
```typescript
// Angular (client)
import { OnInit } from '@angular/core';
import { Observable } from 'rxjs';
import { SapphireDbService } from 'ng-sapphiredb';

export class QueryAuthComponent implements OnInit {
	values$: Observable<any>;

	constructor(private db: SapphireDbService) {}

	ngOnInit() {
		this.values$ = this.db.collection('AuthDemo.CustomFunctionForQueryDemos').values();
	}
}
```

```csharp
// Model.cs (server)
// functionName refers to a static method on the model; the query is allowed
// as soon as one of the referenced functions returns true.
[QueryAuth(functionName: "CanQuery")]
[QueryAuth(functionName: "CanQuery2")]
public class CustomFunctionForQuery : Base
{
	public static bool CanQuery(HttpInformation httpInformation)
	{
		return httpInformation.User.IsInRole("admin");
	}

	public static bool CanQuery2(HttpInformation httpInformation)
	{
		return httpInformation.User.IsInRole("user");
	}

	public string Content { get; set; }
}
```
Example - Custom function per entry
This example is a bit special: the user is always allowed to query the collection, and the permission check is made for each entry. Entries that the user is not allowed to query are simply omitted from the result.
This example also demonstrates how to use multiple auth attributes. Each attribute defines a different condition, and only one of them has to succeed.
```typescript
// Angular (client)
import { OnInit } from '@angular/core';
import { Observable } from 'rxjs';
import { SapphireDbService } from 'ng-sapphiredb';

export class QueryAuthComponent implements OnInit {
	values$: Observable<any>;

	constructor(private db: SapphireDbService) {}

	ngOnInit() {
		this.values$ = this.db.collection('CustomFunctionPerEntryForQueryDemos', 'AuthDemo').values();
	}
}
```

```csharp
// Model.cs (server)
// [QueryEntryAuth] functions are instance methods: they run once per entry and
// can inspect the entry's own properties. An entry is returned if at least one
// of the referenced functions returns true.
[QueryEntryAuth(functionName: "CanQuery")]
[QueryEntryAuth(functionName: "CanQuery2")]
public class CustomFunctionPerEntryForQuery : Base
{
	public bool CanQuery(HttpInformation httpInformation)
	{
		return Content == "Test 1";
	}

	// Named CanQuery2 to match the second attribute (the original duplicated the
	// name CanQuery, which does not compile).
	public bool CanQuery2(HttpInformation httpInformation)
	{
		return Content == "Test 2";
	}

	public string Content { get; set; }
}
```
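The following is an added example, not code from the SapphireDb documentation or project. It combines the class-level custom function from the previous example with the per-entry check from this one to implement a realistic ownership filter: the whole query is rejected unless the caller is authenticated and carries a department claim, and rows whose owner does not match the caller are dropped one by one. It assumes that `HttpInformation.User` is a standard `ClaimsPrincipal` (the page only shows `IsInRole` being called on it), that the attributes and `HttpInformation` live in the `SapphireDb.Attributes` and `SapphireDb.Models` namespaces, that `[QueryAuth]` and `[QueryEntryAuth]` may be placed on the same class (the page shows them separately), and that `Base` is the demo's base entity class used above. The `OwnerId` property and the `"department"` claim type are constructed for the example.

```csharp
// Added example; not part of the SapphireDb documentation or project.
// Assumed namespaces for QueryAuthAttribute, QueryEntryAuthAttribute and HttpInformation.
using SapphireDb.Attributes;
using SapphireDb.Models;
using System.Security.Claims;

// Class level: the query is rejected up front unless HasDepartmentClaim returns true.
[QueryAuth(functionName: "HasDepartmentClaim")]
// Entry level: every row for which IsOwner returns false is omitted from the result.
[QueryEntryAuth(functionName: "IsOwner")]
public class OwnedDocument : Base
{
	// Constructed property: identifier of the user who created the row.
	public string OwnerId { get; set; }

	public string Content { get; set; }

	// Class-level check. It must be static because it runs before any entry is loaded.
	public static bool HasDepartmentClaim(HttpInformation httpInformation)
	{
		// Assumes HttpInformation.User is a ClaimsPrincipal.
		ClaimsPrincipal user = httpInformation.User;
		return user?.Identity?.IsAuthenticated == true
			&& user.HasClaim(c => c.Type == "department"); // constructed claim type
	}

	// Entry-level check. It is an instance method so it can compare this row's
	// OwnerId with the caller's identity. Admins see every row.
	public bool IsOwner(HttpInformation httpInformation)
	{
		ClaimsPrincipal user = httpInformation.User;
		if (user == null)
		{
			return false;
		}

		if (user.IsInRole("admin"))
		{
			return true;
		}

		string callerId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
		// Fail closed: rows without an owner, or callers without an id claim, are hidden.
		return !string.IsNullOrEmpty(callerId) && callerId == OwnerId;
	}
}
```

Both checks run on the server, so nothing the client sends with the query can widen the result set. Because the per-entry function is evaluated once for every entry, as the text above describes, its cost grows with the size of the collection; keep it cheap and put any check that does not depend on the row itself into the class-level function instead.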
Example - Authorization for fields
This example shows how to handle authorization on individual fields. A field the user is not allowed to query is omitted from the returned entries.
```typescript
// Angular (client)
import { OnInit } from '@angular/core';
import { Observable } from 'rxjs';
import { SapphireDbService } from 'ng-sapphiredb';

export class QueryAuthComponent implements OnInit {
	values$: Observable<any>;

	constructor(private db: SapphireDbService) {}

	ngOnInit() {
		this.values$ = this.db.collection('AuthDemo.QueryFieldDemos').values();
	}
}
```

```csharp
// Model.cs (server)
// The same three variants (authenticated only, policy, custom function)
// can be applied to single properties instead of the whole class.
public class QueryFields : Base
{
	[QueryAuth]
	public string Content { get; set; }

	[QueryAuth("requireAdmin")]
	public string Content2 { get; set; }

	[QueryAuth(functionName: "CanQuery")]
	public string Content3 { get; set; }

	private bool CanQuery()
	{
		return Content == "Test 1";
	}
}
```